Update: Outlook Express 6.0 offers a "Read all messages as plain text" option.
This is a good alternative to disabling the preview pane.

This screenshot shows the Outlook Express window as it's usually set up. The
selected message is already visible in the preview pane before the message is
"opened". If malicious code were embedded in the message, the damage would
already have been done.

To make Outlook or OE much more secure, change
your "layout" so there is no preview
pane:

Click View > Layout... in the menu of
Outlook Express. You'll get a "Window
Layout Properties" dialog window like
the one at the left. Click to clear the check
mark in the box in front of "Show preview
pane" (as shown here). Then click OK.
Now you're all set.

Now you can examine the message list before you open any of the messages. If
you see any that are suspicious, delete them, or use a passive viewer to
examine them. See instructions below for using the passive viewer in Outlook
Express.

Update: If you've applied the security patches you
can set OE 6.0 to read email as plain text,
which is an excellent way to neutralize malicious
content. In the menu, click Tools > Options
> Read (tab) > put a checkmark in the
"Read all messages in plain text"
box > click OK. You may need to temporarily reverse the setting
for messages that you receive in HTML format
though. Just be sure you know they are good
before you view them.

There's a passive viewer built right into
Outlook Express. You can safely use it to
open/view any email message because it cannot
take any action beyond displaying the characters
in the message -- even if the message contains
a malicious file.

To use the viewer (see the figure below):

1. Right-click the suspicious message in your Inbox message list.
2. Select Properties from the context menu that appears.
3. Click "Message Source..." in the message properties dialog box. The small
   window that opens is the passive viewer.
4. Maximize this window (to full size). The bold text in the message "source"
   is the message header. The regular text is the message body. If the body
   is not just plain English, the content could be malicious.
5. Close the windows you just opened and take appropriate action. (For
   example, if the message is suspicious, right-click the message description
   again, and choose delete.)
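
The same passive check can be scripted on a saved copy of the message source. The following is an added example, not part of the original page or of Outlook Express: it parses the source as text only, separates the header from the body, and lists anything in the body that is not plain text. The sample messages, the function name inspect_source, and the two watch lists are assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample message source (not taken from the original page).
SAMPLE = """\
From: sender@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><script>document.title="x"</script>
<iframe src="http://example.com/"></iframe></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""
PLAIN = "From: a@example.com\nSubject: Hi\n\nSee you at noon.\n"

ACTIVE_TAGS = ("<script", "<iframe", "<object", "<embed")  # assumed watch list
RISKY_EXT = (".exe", ".scr", ".pif", ".vbs", ".bat")       # assumed watch list

def inspect_source(source):
    """Split raw source into headers and findings; nothing is rendered or run."""
    msg = message_from_string(source, policy=default)
    headers = {k: str(msg[k]) for k in ("From", "Subject")}
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no content of their own
        ctype, name = part.get_content_type(), part.get_filename()
        if name:
            findings.append(f"attachment: {name}")
            if name.lower().endswith(RISKY_EXT):
                findings.append(f"executable attachment type: {name}")
        elif ctype == "text/html":
            findings.append("HTML body part")
            text = part.get_content().lower()
            findings += [f"active tag: {t}>" for t in ACTIVE_TAGS if t in text]
        elif ctype != "text/plain":
            findings.append(f"non-text part: {ctype}")
    return headers, findings

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE), ("plain", PLAIN)):
        print(label, inspect_source(src))
```

An empty findings list corresponds to a body that is just plain text; any entry is a reason to treat the message as suspicious before opening it.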